values returned for host are the same and in same format as for MachineName.. so i would like to use host=$variable$ to be passed to the other source, MachineName, to display DesktopGroupName, from xendesktop... joining two searches into one panel, as i can do it for each search alone.

HI @janitka,
Ok try this

 (index = "windows" sourcetype="Script:InstalledApps" ) OR (sourcetype="xendesktop:7:machine" 'xd_index' MachineName="$XXX$") host="$MachineName$"
 | stats values(DisplayName) AS DisplayName values(DisplayVersion) AS DisplayVersion values(MachineName) AS MachineName values(DesktopGroupName) AS DesktopGroupName BY host

Ciao.
Giuseppe

HI @janitka,
join isn't a performant command, I hint you to explore an approach as the one described in my solution.
Ciao.
Giuseppe

hello,

your search is resulting in bellow

https://imgur.com/d6u6Dxm

because for the second source, host is used for server names, in first for every machine.

When i sort it by MachineName, and not host, i miss DisplayName and DisplayVersion.

Regards,
Jan

HI @janitka,
I don't like join because it's slow, try something like this:

(index = "windows" sourcetype="Script:InstalledApps") OR sourcetype="xendesktop:7:machine"
| eval host=if(sourcetype="Script:InstalledApps",MachineName,host)
| stats values(MachineName) AS MachineName values(DesktopGroupName) AS DesktopGroupName values(DisplayName) AS DisplayName values(DisplayVersion) AS DisplayVersion BY host
| table MachineName DesktopGroupName DisplayName DisplayVersion

Ciao.
Giuseppe

Important stuff is in this topic, one search is
index = "windows" sourcetype="Script:InstalledApps" host="$MachineName$" | table host DisplayName DisplayVersion

other one
sourcetype="xendesktop:7:machine" 'xd_index' MachineName="$XXX$" | table MachineName DesktopGroupName